TMX Finance Discloses Data Breach Impacting 4.8 million Individuals
Reported in the April 4th, 2023, FLASH Update
- TMX Finance (TMX), along with a portion of its subsidiaries, collectively disclosed a data breach following a cyberattack that was discovered on February 13, 2023, after suspicious activity was observed. TMX's impacted subsidiaries consist of TitleMax (a leading car title loan company in the United States), TitleBucks (a company specializing in car title-secured loans or pawns as well as in-store or online personal loans), and InstaLoan (a fast-approval personal loan service). An investigation into this activity concluded that an unauthorized third party gained access to TMX systems on December 10, 2022, and that data of approximately 4.8 million individuals was exfiltrated between February 3 and February 14, 2023. The company's data breach notice explains that the exfiltrated data includes names, dates of birth, passport numbers, driver's license numbers, federal/state identification card numbers, tax identification numbers, Social Security numbers (SSNs), financial account information, and additional data such as phone numbers, email addresses, and physical addresses. The actor responsible for the cyberattack and data breach of TMX has yet to claim responsibility, and TMX has not publicly attributed the attack to a specific threat group as of April 4, 2023. CTIX will continue to monitor the TMX Finance data breach and provide updates when available.
Researchers Observe "Rorschach", One of the Fastest Ransomware Strains to Date
Reported in the April 7th, 2023, FLASH Update
- Researchers have recently observed a previously unnamed ransomware dubbed "Rorschach" that they describe as "one of the fastest ransomware observed, by the speed of encryption." In the observed instance, researchers noted that Rorschach was deployed "using DLL side-loading of a Cortex XDR Dump Service Tool, a signed commercial security product," a loading method not typically utilized by ransomware operations, and that it uses three (3) files during execution. The main payload is injected into "notepad.exe" and then runs processes in SUSPEND mode while providing falsified arguments, a technique that makes analysis more difficult. The ransomware also deletes shadow volumes and backups using legitimate Windows tools, clears specific Windows event logs, disables the Windows firewall, and attempts to stop a number of predefined services. Researchers explained that Rorschach has interesting capabilities that are not commonly seen in ransomware, such as making direct calls using the "syscall" instruction in order to evade defense mechanisms. Rorschach also employs a "highly effective and fast hybrid-cryptography scheme," which encrypts only a specific portion of the original file content rather than the entire file. Researchers emphasized that these capabilities, amongst others, allowed the ransomware to encrypt an environment in only four (4) minutes and thirty (30) seconds. LockBit 3.0, another known fast ransomware strain, encrypted an identical environment in seven (7) minutes. Despite having no clear-cut overlaps with any known ransomware groups, Rorschach has similarities to the leaked source code of Babuk ransomware and is suspected of taking inspiration for some components from LockBit 2.0. The ransom note also has similarities to DarkSide and Yanluowang. CTIX analysts will continue to monitor Rorschach for new activity. Indicators of compromise (IOCs) as well as additional technical details can be viewed in the linked report.
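The partial-file encryption described above matters for defenders because a common ransomware heuristic, flagging files whose overall entropy is near 8 bits per byte, is defeated when only a slice of each file is encrypted. The following script is an added example written for this digest, not code from the cited report or from Rorschach, and shows the difference between a whole-file entropy check and a per-chunk check. The sample file is constructed inline: repetitive text whose first 8 KiB is replaced with seeded pseudo-random bytes standing in for ciphertext. The chunk size (4096 bytes) and threshold (7.0 bits/byte) are assumed tuning values, not figures from the report.

```python
import math
import random

CHUNK_SIZE = 4096     # assumed scan granularity in bytes
HIGH_ENTROPY = 7.0    # assumed threshold; plain text sits near 4-5 bits/byte, ciphertext near 8


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Entropy of each fixed-size chunk of `data`, in file order."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


def scan(data: bytes, chunk_size: int = CHUNK_SIZE,
         threshold: float = HIGH_ENTROPY) -> dict:
    """Run both heuristics over one file.

    Returns the whole-file entropy and whether it crossed the threshold,
    plus the per-chunk entropies and the indices of chunks that crossed it.
    A partially encrypted file typically fails the whole-file check but
    still shows up as a run of high-entropy chunks.
    """
    whole = shannon_entropy(data)
    chunks = chunk_entropies(data, chunk_size)
    return {
        "whole_file_entropy": whole,
        "whole_file_flagged": whole >= threshold,
        "chunk_entropies": chunks,
        "flagged_chunks": [i for i, e in enumerate(chunks) if e >= threshold],
    }


def build_sample(total_size: int = 65536, encrypted_prefix: int = 8192,
                 seed: int = 1234) -> bytes:
    """Constructed illustration data, not a real ransomware artifact.

    Low-entropy repetitive text whose first `encrypted_prefix` bytes are
    replaced by seeded pseudo-random bytes that stand in for ciphertext.
    """
    sentence = b"The quick brown fox jumps over the lazy dog. "
    text = (sentence * (total_size // len(sentence) + 1))[:total_size]
    rng = random.Random(seed)
    return rng.randbytes(encrypted_prefix) + text[encrypted_prefix:]


if __name__ == "__main__":
    result = scan(build_sample())
    print(f"whole-file entropy: {result['whole_file_entropy']:.2f} bits/byte "
          f"(flagged: {result['whole_file_flagged']})")
    print(f"chunks flagged by per-chunk scan: {result['flagged_chunks']}")
```

On the constructed sample the whole-file entropy lands around 5 bits/byte, well under the threshold, while the per-chunk scan flags the first two 4 KiB chunks. In a real deployment the per-chunk view should be combined with other signals (rename patterns, shadow-copy deletion, event-log clearing) rather than used alone, since compressed or already-encrypted files legitimately contain high-entropy regions.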
Balada Injector Campaign Compromised 1 million WordPress Websites Since 2017
Reported in the April 11th, 2023, FLASH Update
- Researchers have published a new report detailing a large-scale campaign dubbed "Balada Injector" that has exploited approximately 1 million WordPress websites. This campaign has been tracked by researchers since 2017 and is known for leveraging "all known and recently discovered theme and plugin vulnerabilities" in WordPress websites. The attacks are conducted in waves, typically once a month, with a newly registered domain used in each wave. The domains redirect victims to various fraudulent websites, including lottery, push notification, and tech support scams. Balada Injector's main focus is exfiltrating sensitive information, such as database credentials, in order to maintain persistence in the event that the victim clears the infection and patches their vulnerabilities. The campaign also has the goal of collecting backup archives and databases, files that may contain sensitive data, access logs, and debug information. The campaign also searches for Adminer and phpMyAdmin, as these legitimate tools are used to create new admin users and inject malware into the victims' databases. The campaign operators have also been observed deploying various backdoors to the compromised WordPress websites, with some instances involving dropping backdoors to 176 predefined paths in order to increase the difficulty of removing the malware. The backdoor names are also changed in each wave of the campaign to make detection more difficult. Researchers have emphasized that each wave of Balada Injector attacks differs, so there are no specific instructions to mitigate the risk of attack at this time due to the wide variety of infection vectors. CTIX analysts urge administrators to use strong passwords and multi-factor authentication (MFA), ensure applications such as WordPress plugins are up to date with the latest patches, and monitor user accounts for suspicious activity. Additional technical details as well as indicators of compromise (IOCs) can be viewed in the report linked below.
Private Sector Offensive Actor QuaDream Linked to DEV-0196
Reported in the April 14th, 2023, FLASH Update
- Microsoft researchers have linked, with high confidence, a threat group tracked as DEV-0196 to an Israel-based private sector offensive actor (PSOA) known as QuaDream. QuaDream has been targeting the iOS devices of journalists and political figures across Europe, North America, Southeast Asia, and the Middle East with malicious spyware. QuaDream is known to market a surveillance platform to governments for "law enforcement purposes" known as "REIGN," which is "a suite of exploits, malware, and infrastructure designed to exfiltrate data from mobile devices." The malware, dubbed "KingsPawn", is developed by DEV-0196 and has a monitor agent that is responsible for reducing the malware's footprint on the victim device to evade detection. The primary malware agent has the capabilities to collect device data, cellular and Wi-Fi data, access location, gather files, access the device's camera, obtain call logs, and more. Citizen Lab researchers also observed a "zero-click exploit" dubbed "ENDOFDAYS" which they suspect was used to hack into target devices running iOS versions 14.4 and 14.4.1. Researchers explained that the exploit uses two (2) backdated and overlapping iCloud calendar invites (invisible to the account owner) as an initial attack vector; the invites are automatically processed due to a flaw in iOS 14, which does not notify the account owner of them. When deployed, the spyware attempts to bypass detection by covering its tracks. QuaDream has previously been in the media for taking advantage of the FORCEDENTRY zero-click exploit in iMessage in order to deploy REIGN in early 2022, and approximately 250 of its fraudulent Instagram and Facebook accounts that were used to "infect Android and iOS devices and exfiltrate personal data" were taken down in late 2022. Additional technical details regarding DEV-0196 and QuaDream, as well as indicators of compromise (IOCs), can be viewed in the two reports linked below.
New Domino Backdoor Suspected to be a Collaboration Between Former Conti Members and FIN7
Reported in the April 18th, 2023, FLASH Update
- Researchers have observed a new backdoor dubbed "Domino" that they believe was likely developed by the FIN7 Russian cybercriminal group and has been used by former Conti affiliates since at least February 2023. This belief is due to code overlaps between Domino Backdoor and the "Lizar" malware family (also known as "Tirion" and "Diceloader"), which is linked to FIN7. Lizar is known to collect sensitive information from "clipboard, Discord, web browsers, crypto wallets, VPN services, and other apps." Domino's focus is to obtain victims' system information and send the data to its command-and-control (C2) server, which returns an AES-encrypted payload. Researchers emphasized that the returned payload, named "Domino Loader", is a second payload that has code overlaps with Domino Backdoor. Domino is currently being used to deliver "either the Project Nemesis information stealer or more capable backdoors such as Cobalt Strike" and has been observed using the Dave Loader (which has been linked to Conti/Trickbot). Domino has been active in the wild since at least October of 2022. Additional technical details as well as indicators of compromise (IOCs) can be viewed in the report linked below.
New Details Emerge regarding Three Zero-Click Exploits Used by the NSO Group to Target iPhone Users in 2022
Reported in the April 21st, 2023, FLASH Update
- Newly released research details new Pegasus spyware activity that occurred in 2022, specifically three (3) zero-click exploits that targeted iOS 15 and iOS 16. Researchers explained that the spyware targeted at least three (3) civil society targets from around the globe in 2022, two (2) of whom were members of an organization representing victims of military abuses in Mexico. It has been reported that Mexico's military is "the longest-standing client of Pegasus, and has used the spyware to target more cell phones than any other government agency in the world." The third victim of the latest Pegasus attacks has yet to be revealed by researchers. The first zero-click exploit identified is called "PWNYOURHOME", which was deployed against iOS 15 and iOS 16 around October of 2022. This exploit has two (2) parts: the first step targets the "HomeKit" feature and the second targets iMessage. The second zero-click exploit identified is "FINDMYPWN", which was deployed against iOS 15 around June of 2022. This exploit also has two steps, targeting the "Find My" feature and then iMessage. Upon reviewing the first two exploits, researchers were able to identify "LATENTIMAGE", the first 2022 zero-click exploit released by the NSO Group, which was found on a single target's mobile device. LATENTIMAGE targets the "Find My" feature with a different method than FINDMYPWN. Researchers emphasized that the NSO Group is actively improving and advancing its spyware to evade detection. The researchers have also not seen any successful attacks involving PWNYOURHOME when victims had activated iOS's Lockdown Mode feature, which is one way to help mitigate zero-click attacks, as it warns the user in real time of any exploitation attempts. Additional technical details can be viewed in the report linked below.
